The Spanish Data Protection watchdog (AEPD) has begun a preliminary probe into the official app for Spanish football league, La Liga, which allows them access to the microphones and GPS of users' smartphones with the aim of potentially identifying showings of football games in the vicinity of the user that are illegal.
La Liga currently claims that its app has been downloaded over 10 million times. A new functionality was added in June 2018 which enables access to the sound recording and location functions on smartphones of users. By deploying an algorithm against the audio being recorded together with GPS information, La Liga claims that it can then accurately identify when football matches are being publicly shown near to a user and then compare this with their records to see whether a licence is in place for showing the game publicly. This method has been launched as part of a wider crack down on unauthorised broadcasts of football games in Spain which La Liga claims are the cause of major revenue losses estimated at €150 million each year. The league's governing body LFP said it has "a responsibility to protect the clubs and their fans" from unlicensed broadcasts in public places.
The new functionality has raised numerous privacy and security concerns amongst users of the app who have accused La Liga of excessive privacy interference. However La Liga has explained that its users must first expressly consent to the utilisation of the microphone and location services for the app's monitoring to function with two tick boxes being offered; checking the first box confirms that a user has read the app's standard terms and conditions, but checking the second box constitutes the user agreeing to the app's use of the data solely in relation to the microphone and GPS for the new functionality. Importantly, checking the second box is not required for users to use the app and users can revoke their consent to this element at any time. La Liga has further guaranteed that it only has extremely limited access to the audio recordings captured and that install outputs are turned into irreversible binary code which La Liga claims contains no personal data.
The introduction of the General Data Protection Regulation (GDPR) in May 2018 has afforded a significant latitude and broad powers to data protection authorities such as the AEPD to levy sanctions of up to 4% of a company's global annual sales for the most serious breaches. Given the increased profile data protection issues now have users are increasingly aware of their rights and, as the La Liga issue demonstrates, organisations should take care to ensure their users are fully aware of exactly what personal data are being processed and for what purposes.